DETAILED ACTION

Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on
12-29-2008 has been entered.

2. Claims 1-18 and 29-38 are pending and have been examined. 

Response to Arguments 

3. Applicant's arguments filed 12-29-2008 have been fully considered but they are 
not persuasive. 

The Applicant argues that the claimed invention may be distinguished from the 
teachings of Schultz 2003/0065926 A1, and Jordan 7,210,040, by asserting that the
combination fails to teach "...performing a predetermined responsive action with respect 
to the process if the second risk level exceeds the threat detection threshold." However 
the Examiner maintains that such a step is indeed taught by Schultz at, for example the 
logging and notifications steps disclosed in paragraph [0023].

Claim Rejections - 35 USC § 101

4. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

5. Claims 1-18 and 38 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

As for claim 1, the claim is directed towards a method for assigning risk to a
section of executable computer code. As such, the claim is directed towards a 
fundamental principle similar to a law of nature or a mathematical algorithm. However, 
the claim does not set forth any limitations that explicitly tie the method to a particular 
machine, or that limit the claim to the transformation of an article into another state or 
thing. See In re Bilski, (Fed. Cir, Oct 30, 2008). Nowhere does the claim set forth a 
limitation wherein the risk assigned to the executable code is itself incorporated into 
computer code that is embodied in a tangible computer-readable storage medium, or 
that the method steps are carried out by a processor. 

Claims 2-18 are dependent on claim 1 and do not cure its deficiency. Therefore 
these claims are rejected on the same basis as claim 1.

As for claim 38, the claim is directed towards "...a computer program product for 
providing computer security, the computer program product being embodied in a 
computer readable medium." However, as per the Applicant's Specification on page 4 
lines 2-5, the medium may be an electromagnetic data signal in a transmission medium.
As such, the claim is directed towards non-statutory subject matter. The claim sets forth 
only functional descriptive language and is non-statutory since this does not fall into one 
of the classes of invention eligible for the grant of a US patent. Unless embodied in a 
tangible computer-readable medium the software in and of itself cannot be considered 
as a computer component, and hence cannot effect a change of state of a processor to 
produce a useful or tangible result. From 2106.01: Computer-Related Nonstatutory 
Subject Matter: Descriptive material can be characterized as either "functional 
descriptive material" or "nonfunctional descriptive material." In this context, "functional 
descriptive material" consists of data structures and computer programs which impart 
functionality when employed as a computer component. (The definition of "data 
structure" is "a physical or logical relationship among data elements, designed to 
support specific data manipulation functions." The New IEEE Standard Dictionary of 
Electrical and Electronics Terms 308 (5th ed. 1993).) "Nonfunctional descriptive 
material" includes but is not limited to music, literary works, and a compilation or mere 
arrangement of data. Both types of "descriptive material" are nonstatutory when claimed 
as descriptive material per se, 33 F.3d at 1360, 31 USPQ2d at 1759. When functional 
descriptive material is recorded on some computer-readable medium, it becomes 
structurally and functionally interrelated to the medium and will be statutory in most 
cases.

Claim Rejections - 35 USC § 103

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

7. Claims 1-6, 18, 37, and 38 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Schultz et al., US 2003/0065926 A1, and Jordan, 7,210,040. 

As for claim 1, Schultz teaches a method for providing computer security,
comprising: determining whether an executable associated with a static state meets a 
predetermined criterion [0021], [0022]; associating a first risk level with the executable 
[0038], if it is determined that the executable meets the predetermined criterion [0040]; 
updating the first risk level to a second risk level that is higher than the first risk level if 
a process started by the executable is observed to perform or attempt an action with 
which the second risk level is associated [0108]; and performing a predetermined 
responsive action with respect to the process if the second risk level exceeds the threat 
detection threshold [0022], [0023]; wherein determining whether the executable meets 
the predetermined criterion does not compare the executable with a virus signature 
[0042]. Schultz does not explicitly disclose the step wherein the step of updating the 
first risk level to a second risk level higher than the first if a process started by the 
executable has been allowed to execute. However, Jordan does teach this step
wherein a process started by an executable is permitted to execute prior to a 
determination being made as to the risk associated with that process, (figure 2, col. 5 
lines 35-40). Therefore it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to incorporate this feature into the system of Schultz. 
It would have been obvious to do so since this would allow for monitoring in real time 
any suspicious executable files and increase the accuracy of risk detection. 

As for claims 37 and 38: Claim 37 represents the apparatus configured to carry
out the method steps of claim 1; Claim 38 represents the computer-program product
that instructs a processor to undertake the method steps of claim 1. Claims 37 and 38
recite substantially the same limitations as claim 1 and are thereby rejected on the 
same basis as that claim. 

As for claim 2, Schultz discloses the method for providing computer security, 
wherein the risk level indicates a level of potential risk that will be brought by operating 
the executable (para. 0038, lines 3-6). 

As for claim 3, Schultz discloses the method for providing computer security, 
wherein the risk level indicates how much risk the executable presents (para. 0099, 
lines 1-15; para. 0100, lines 1-3).

As for claim 4, Schultz discloses the method for providing computer security,
wherein the predetermined criterion includes a configuration criterion (para. 0036, lines 
11-14; para. 0119, lines 8-18). 

As for claim 5, Schultz discloses the method for providing computer security, 
wherein the predetermined criterion is used to determine whether the executable is 
configured as a service (para. 0103, lines 3-4). 

As for claim 6, Schultz discloses the method for providing computer security, 
wherein the predetermined criterion is used to determine whether the executable is 
configured to run under a high privileged account (para. 0040, lines 4-8). 

As for claim 18, Schultz discloses the method for providing computer security 
comprising associating with the executable a risk type indicating a type of risk to which 
the executable is vulnerable (para. 0038, lines 4-8; para. 0099, lines 4-12).

8. Claims 7, 8, 10, 12-17 and 29-34 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Schultz and Jordan, and further in view of Tajalli et al. (US
2004/0143749 A1).

As for claim 7, Schultz and Jordan disclose all the limitations of claim 7 except
where the predetermined criterion is used to determine whether the executable is
installed via a standard procedure. The general concept of whether the executable is
installed via standard procedure is well known in the art as illustrated by Tajalli, which
discloses controlling access to system resources by each process based on a behavior
control description for the process set to which it belongs (para. 0020, lines 5-7).
Therefore it would have been obvious for one of ordinary skill in the art at the time of the
invention to modify Schultz to include the use of a predetermined criterion to determine
if the executable has not been properly installed in order to prevent malicious code execution
on a computer system, as well as to control access over malicious code.

As for claim 8, Schultz and Jordan disclose all the limitations of claim 8 except
the method for providing computer security, wherein the predetermined criterion is used
to determine whether the executable has sufficient access control. The general concept
of determining if the executable having sufficient access control is well known in the art
as illustrated by Tajalli, which discloses access control engine to monitor access and
use of critical system resources, in addition the IDS watches applications request and
resources used, looking for request or uses that depart from acceptable use and
behavior (para. 0081, lines 1-11; para. 0161, lines 12-14; para. 0175, lines 5-6).
Therefore it would have been obvious for one of ordinary skill in the art at the time of the
invention to modify Schultz to include the use of determining sufficient access control in
order to control access rights to system resources.

Application/Control Number: 10/782,396
Art Unit: 2437

As for claim 10, Schultz and Jordan disclose all the limitations of claim 10, except 
the method of providing computer security, wherein the predetermined criterion is used 
to determine whether the executable is signed. The general concept of determining if
the executable is signed is well known in the art as illustrated by Tajalli, which discloses
that the IDS will check for encryption within the executable (para. 0161, lines 12-14;
para. 0169, line 1). Therefore it would have been obvious for one of ordinary skill in the
art at the time of the invention to modify Schultz to include the use of determining if the
executable is signed in order to determine the origin of the executable, as public key
cryptography binds the signer to the key.

As for claim 12, Schultz and Jordan disclose all the limitations of claim 12 except
providing computer security, wherein the predetermined criterion includes a capability
criterion. The general concept of the predetermined criterion includes a capability
criterion is well known in the art as illustrated by Tajalli, which discloses the
predetermined criterion include capability (para. 0055, lines 1-2; para. 0175, lines 5-6).
Therefore it would have been obvious for one of ordinary skill in the art at the time of the
invention to modify Schultz to include the use of a capability criterion in order to protect 
the system against attack. 

As for claim 13, Schultz and Jordan disclose all the limitations of the claim except 
the method for providing computer security wherein the predetermined criterion is used 
to determine whether the executable has networking capability. The general concept of 
determining if the executable has network capability is well known in the art as 
disclosed by Tajalli, which discloses network protection against malicious codes (para. 
0244, lines 1; 0251, lines 2-9; para. 0175, lines 5-6). Therefore it would have been 
obvious for one of ordinary skill in the art at the time of the invention to modify Schultz to 
include the use of determining if malicious code has network capability in order to 
protect the network against malicious codes that may cause damage to a network. 

As for claim 14, Schultz and Jordan disclose all the limitations of claim 14 except 
the method for providing computer security, wherein the predetermined criterion is used 
to monitor whether the executable has privilege manipulation capability. The general 
concept of determining whether the executable has privilege manipulation capability is 
well known in the art as illustrated by Tajalli, which discloses that the IDS would define 
modifying or manipulating registry keys as inappropriate behavior that would be blocked 
(para. 0050, lines 1-8). Therefore it would have been obvious for one of ordinary skill in 
the art at the time of the invention to modify Schultz to include the use of determining if
executable has privilege manipulation capability in order to protect the system against
malicious codes that may want to modify system registries.

As for claim 15, Schultz and Jordan disclose all the limitations of claim 15 except 
the method for providing computer security, wherein the predetermined criterion is used 
to determine whether the executable has remote process capability. The general 
concept of determining if the executable has remote process capability is well known in 
the art as illustrated by Tajalli, which discloses the IDS is configured to control network 
services to include remote connection (para. 0236, lines 1-3; para. 0239, line 1). 
Therefore it would have been obvious for one of ordinary skill in the art at the time of the 
invention to modify Schultz to include the use of determining if malicious code has 
remote capability in order to prevent the network from being taken over by hackers that
may use Trojan Horses to enter the network unchecked. 

As for claim 16, Schultz and Jordan disclose all the limitations of claim 16 except 
the method for providing computer security, wherein the predetermined criterion is used 
to determine whether the executable has process launching capability. The general 
concept of determining if the malicious code has process launching capability is well 
known in the art as illustrated by Tajalli, which discloses a malicious code initiate HTTP 
connection to other Web servers (para. 0244, lines 1-2; para. 0249, lines 1-2). 
Therefore it would have been obvious for one of ordinary skill in the art at the time of the
invention to modify Schultz to include the use of determining if the malicious code has 
process launching capability in order to stop malicious code from executing and from 
calling other system resources from the network. 

As for claim 17, Schultz and Jordan disclose all the limitations of the claim except
the method for providing computer security, wherein the predetermined criterion is used
to determine whether the executable has secure algorithm. The general concept of
determining if malicious codes has secure algorithm is well known in the art as illustrated
by Tajalli, which discloses the IDS controls access to any attributes of files or directories
including if encryption present for the malicious code (para. 0217, lines 1-2; para. 0222, 
line 1). Therefore it would have been obvious for one of ordinary skill in the art at the 
time of the invention to modify Schultz to include the use of determining if the malicious 
code has secure algorithm, in order to protect against virus that uses encrypted code to 
hide their payload from virus protection mechanism. 

As for claims 29-31, Schultz and Jordan disclose all the limitations of the claims
except the method for providing computer security comprising analyzing historical 
evidence; the historical evidence include a record of activities and log file. The general 
concept of analyzing historical evidence is well known in the art as illustrated by Tajalli, 
which discloses the use of historical evidence (para. 0091, lines 1-7; para 0097, line 1). 
Therefore it would have been obvious for one of ordinary skill in the art at the time of the
invention to modify Schultz to include the use of analyzing historical evidence, record 
activities and log file in order to assign processes into their proper category, thus that 
new policy may be implemented more effectively. 

As for claim 32, Schultz and Jordan disclose all the limitations of the claim except
the method for providing computer security wherein the historical evidence includes a
system optimization file. The general concept of the historical evidence includes a system
optimization file is well known in the art by Tajalli, which discloses a communication
module to retrieve configuration or log data and returns them, in addition the
communication module can retrieve data from disk or from the engine, and request alert
when unusual events occur (para 0090, lines 3-8). System optimization file or swap files
resides on disk. Therefore it would have been obvious for one of ordinary skill in the art
at the time of the invention to modify Schultz to include the use of swap file in order to
obtain information that is relevant to build system policy.

As for claims 33 and 34, Schultz and Jordan disclose all the limitations of the
claims except the method for providing computer security, wherein historical evidence
includes a crash dump. The general concept of the historical evidence includes a crash
dump is well known in the art as illustrated by Tajalli, which discloses a communication
module that monitors local log files, transfers log data to a management infrastructure
and requests alerts when unusual events occur (para. 0090, lines 3-8). Therefore it
would have been obvious for one of ordinary skill in the art at the time of the invention to
modify Schultz to include the use of a crash dump file and prefetch file in order to gather
information when system failure occurs.

9. Claims 9, 11, 35, and 36 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Schultz and Jordan in view of Khazan et al. (US 2005/0108562 A1). 

As for claims 9 and 11, Schultz and Jordan disclose all the limitations of the
claims except the method of providing computer security wherein the predetermined 
criterion is used to determine whether the executable is recent and determine whether 
the executable has a modified date different from the created date. The general concept 
of determining whether the executable is recent and determining whether the 
executable has a modified date different from the created date is well known in the art 
as illustrated by Khazan, which discloses analyzing the executable when modification
takes place (para. 0107, lines 14; para. 0115, lines 1-19). Therefore it would have been
obvious for one of ordinary skill in the art at the time of the invention to modify Schultz to 
include the use of Khazan in order to verify whether modification has taken place within 
the executable.

As for claims 35 and 36, Schultz and Jordan disclose all the limitations of the
claims except the method for providing computer security, comprising performing a
dynamic risk analysis, and determining whether an action is required. The general
concept of performing dynamic analysis and determining whether an action is required
is well known in the art as illustrated by Khazan, which discloses static and dynamic
analyzer (para. 0040, lines 12-13), and whether an action is required (para. 0099, lines
7-11, lines 21-26). Therefore it would have been obvious for one of ordinary skill in the
art at the time of the invention to modify Schultz to include the use of dynamic analyzer
to determine whether an action is required in order to protect computer systems against
malicious codes.



Conclusion 

10. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Paul E. Callahan whose telephone number is (571)
272-3869. The examiner can normally be reached on M-F from 9 to 5.

If attempts to reach the examiner by telephone are unsuccessful, the Examiner's 
supervisor, Emmanuel Moise, can be reached on (571) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is: (571) 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



/Paul Callahan/ 
Examiner, Art Unit 2437 

/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 



